Foreword

The Federal Information Processing Standards Publication Series of the National Bureau of Standards is the official publication relating to standards adopted and promulgated under the provisions of Public Law 89-306 (Brooks Bill) and under Part 6 of Title 15, Code of Federal Regulations. These legislative and executive mandates have given the Secretary of Commerce important responsibilities for improving the utilization and management of computers and automatic data processing systems in the Federal Government. To carry out the Secretary’s responsibilities, the NBS, through its Institute for Computer Sciences and Technology, provides leadership, technical guidance, and coordination of Government efforts in the development of guidelines and standards in these areas.

The subject areas of personal privacy, data confidentiality and computer security are of the greatest national interest. The Secretary of Commerce has identified the efforts required to provide solutions to technical problems encountered in these areas as personal objectives in the Department’s overall program.

Data confidentiality and computer security are dependent upon the application of a balanced set of managerial and technological safeguards. Within the context of a total security program, the NBS is pleased to make this Guideline on Evaluation of Techniques for Automated Personal Identification available for use by Federal agencies.

Ruth M. Davis, Director
Institute for Computer Sciences and Technology


Abstract 

This publication provides a guideline to be used by Federal organizations in the selection and evaluation of techniques for automatically verifying the identity of individuals seeking access to computer systems and networks via terminals, where controlled accessibility is required for security purposes. The guideline describes various techniques for verifying identity and provides a set of criteria for the evaluation of automated identification systems embodying these techniques.

Keywords: ADP security; computer networks; controlled accessibility; encryption; evaluation criteria; key; password; personal identification; terminals; verification.
lead to a more comprehensive understanding of the capabilities and limitations of available techniques. In this regard, comments and critiques concerning applications experience will be welcomed. These should be addressed to the Associate Director for ADP Standards, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, D.C. 20234.

Where to Obtain Copies. Copies of this publication are for sale by the National Technical Information Service, U.S. Department of Commerce, Springfield, Virginia 22161. When ordering, refer to Federal Information Processing Standards Publication 48 (NBS-FIPS-PUB-48) and title. When microfiche is desired, this should be specified. Payment may be made by check, money or¬
EXECUTIVE OVERVIEW

The Privacy Act of 1974 (5 U.S.C. 552a) imposes numerous requirements upon Federal agencies to prevent the misuse of information about individuals and assure its integrity and security. These requirements will be met by the application of selected managerial, administrative and technical procedures which, in combination, can be used to achieve the objectives of the Act.

This Guideline discusses techniques for the identification of individuals for the purpose of controlling access to computer networks. Measurement of the effectiveness of personal identification devices is described and evaluation criteria are presented as a guide in comparing and selecting appropriate techniques and devices.

There are three general bases on which the identity of an individual may be verified, namely, something known by the individual, something possessed by the individual, or something about the individual (physiological attributes, such as fingerprints, hand geometry, signatures, and voice prints). These three categories are discussed in the Guideline, together with system considerations and possible forms of compromise. The distinction between intrapersonal and interpersonal variability is pointed out.

The performance of devices based on physiological attributes may be less than ideal, and a compromise may be necessary between the possible rejection of a small percentage of authorized individuals and the acceptance of a small percentage of unauthorized individuals. Devices may generally be adjusted for a trade-off between these two categories, such that the most important category for a particular application may be emphasized at the expense of the other category. Greater certainty may be achieved by combining two or more methods of identification, provided that the appropriate decision rules are employed, and this subject is considered in the Guideline.

Accurate verification of the identity of an intended user does not completely eliminate the risk of unauthorized access, since an authorized individual might be persuaded to gain access on behalf of an unauthorized individual through collusion or extortion, or he might carry out an unauthorized activity for reasons of his own. The Guideline discusses other provisions for countering these threats which can be incorporated in a system for use as adjuncts to the personal identification techniques.
GUIDELINE ON EVALUATION OF TECHNIQUES FOR AUTOMATED PERSONAL IDENTIFICATION


1. Introduction

Attention has recently been focused on computer security and the safeguarding of data confidentiality for the purpose of protecting personal privacy. This has emphasized the need for accurately establishing the identity of individuals authorized to have access to computer systems. There is a recent legislative mandate for this need, within the Federal Government, as embodied in the Privacy Act of 1974 (5 U.S.C. 552a). Through this law, the Congress has asserted that “the privacy of an individual is directly affected by the collection, maintenance, use and dissemination of personal information by Federal agencies.” Congress has further recognized the potential of the computer to be used for intruding upon individual privacy and has laid down requirements for regulating the handling of personal information within the Government [ ].¹

Control of access to computer systems and networks is becoming increasingly important as computers are entrusted with more sensitive applications and more valuable information. Much emphasis has been placed in recent years on increasing the accessibility of the computer in order to accommodate the user and to enhance his ability to interact with it. This has posed new threats to system security and has emphasized the need for more adequate safeguards against unauthorized access and the misuse of computer resources [1, 11, 19].

1.1. Need for Personal Identification

Central to the implementation of safeguards required by the Privacy Act is the ability to establish the identification of individuals: individuals who operate computers, write programs for computers, prepare and enter data, enter queries, receive output, and those who repair computers [4, 9]. For a broader treatment of security system implications of the Privacy Act, the reader is referred to Computer Security Guidelines for Implementing the Privacy Act of 1974, FIPS PUB 41 [18].

¹ Figures in brackets indicate the literature references at the end of this paper.

This Guideline considers a number of approaches to providing protection against unauthorized access by verifying the identification of individuals seeking to access computer systems. The emphasis is upon approaches, rather than upon specific devices. A set of evaluation criteria is given for assessing and comparing the suitability of alternative identification devices.

1.2. “Absolute” Identification Versus Verification of Identification

A distinction should be drawn between carrying out an “absolute” identification as opposed to simply verifying an identification. In an “absolute” identification, a determination is made as to the identity of an individual, independently of any information supplied by the individual; the individual may be uncooperative, and in fact may be unaware that his identity is being sought. For example, a set of fingerprints might be obtained from a suspect apprehended under suspicion; these could then be sent to a fingerprint technician to be classified, and then a file could be searched until a match was obtained. The identity of the individual could then be obtained from the card containing the matching set of file prints.

The personal identification process, as considered in this Guideline, is more properly considered identity verification. In this process, a would-be terminal user is assumed to be cooperative and presents a claimed identity to the system. The individual is then required to carry out a certain “procedure” which provides the system with the data necessary to either confirm or refute the claimed identity. This process compares a set of data derived from the individual with the corresponding set of data retrieved from a file or other source, based on the claimed identity. If the two sets of data can be matched within a certain tolerance, the identity is considered to be verified. It should be noted that this verification process does not require an extensive searching process as might be required for a true identification process.
2. Three Basic Methods of Establishing Identity

There are three basic methods by which the identity of an individual may be established:

(1) Something KNOWN by the individual;

(2) Something POSSESSED by the individual;

(3) Something ABOUT the individual [2].

The first category includes such things as a password, the combination to a lock, or facts from an individual’s personal background. The second category includes artifacts, such as badges, passes, cards with machine-readable information, and keys to locks. The third category includes physiological attributes, such as an individual’s appearance, voice, fingerprints, and hand geometry.

2.1. Something KNOWN to an Individual

Verification of identity through the use of an item of information known only to an individual, or to a limited set of individuals, is exemplified by the password. Passwords are presently the most commonly used method of controlling access to time-sharing systems. This method can be extended to provide for multiple passwords and question-and-answer sequences. The latter would typically include a random subset of items selected from a file of known information, such as names of family members, schools attended, teachers, events of personal history, or other facts.

Of course, anything known by one individual may become known by another, who may then succeed in an attempt at impersonation. In assigning passwords, it is preferable for each user to have his own password, rather than to use the same password for a set of users. Whenever a system is accessed, it should keep a log of the password used and the nature of the access. This permits the activities of various users to be audited. In the event that an unauthorized activity should come to light, this audit trail would indicate the password that was involved and would point toward the possible culprit. With individual passwords, an individual could not allow his password to be used by an accomplice without exposing himself to suspicion. Or, if a password were stolen, the likely source would be evident and steps could be taken to achieve increased security awareness. Individual passwords can be used by the system in controlling access by users to specific system resources, including information files and applications.

The generation of passwords ideally should be done under centralized control [3]. The selection of passwords should avoid any obvious bases, such as the individual’s middle name or initial. In some cases, it might be desirable to generate passwords by a random process, though in this case the use of a known algorithm which generates pseudorandom data should be avoided. (A true random process would occasionally produce duplicate passwords; this can be avoided by using a technique such as sampling without replacement.) Passwords should be as long as feasible, consistent with requirements for memorization and use, thus reducing the possibility of determining them by trial and error. Passwords should be changed at intervals, and at any time that they are suspected to have been compromised.

A log should be kept of such changes showing the date of change, new password, and authority. The authorizing official should sign the log personally each time a change is made.

The degree of security provided by the password (or the combination to a lock) is largely dependent upon the possible number of combinations from which it is chosen [13]. As a very elementary case, consider a password which consists merely in flipping a coin. Assume that if the coin comes up “heads,” access will be granted, but if it comes up “tails,” access will be denied. What is the probability that a would-be user would be granted access on the basis of a single toss of the coin? Since there are only two possibilities, both equally probable, he has a 50 percent chance of being successful. If he were to seek access on a number of occasions, he would be successful half the time, on the average. Now suppose that for each attempted access, two successive tosses were required, and that access would be granted only for the sequence “heads-heads.” There are now four possible combinations, only one of which is valid, so the possibility of gaining access by chance is reduced to 25 percent. By extension, the chance of achieving the right combination for a sequence of n tosses is 1 in 2ⁿ.

Suppose, now, that instead of a coin, the would-be user is required to use dice. Since a die has six sides, instead of two, the previous expression becomes 1 in 6ⁿ. Now consider a combination lock having n dials, each divided into 10 steps. The expression for this case is 1 in 10ⁿ. Many combination locks have a single dial with perhaps 50 to 100 steps, but a series of right and left rotations are required to dial the full combination. The expression for such a lock would be more complex but basically would be obtained by similar reasoning.
Now consider a password consisting of n letters chosen from the 26 letters of the alphabet. It would appear that the chance of achieving such a combination by chance is 1 in 26ⁿ. However, this is greatly reduced if the number of allowable combinations is constrained in some manner. Are the passwords to be pronounceable? Then perhaps every second or third letter is a vowel, of which there are only 5. Consider an elementary password consisting of 3 letters chosen at random from an entire alphabet; the number of such combinations is 26³ = 17,576. But suppose this is restricted to combinations consisting of consonant-vowel-consonant. The number of such combinations is 21 × 5 × 21 = 2205, or about one eighth as many as before. If the choice of passwords is further restricted to valid words and names in the language, a still more drastic reduction in the number of combinations occurs.

There is another way in which this phenomenon of reduction in combinations can occur. Consider that the letters of the alphabet are being used, but that they are being typed on a keyboard and that each character is represented by a seven-bit code. Each character of code would be capable of representing 2⁷ = 128 combinations, yet only the 26 combinations representing the alphabet are being employed in this case. Thus, for a string of n characters, the allowable combinations would be 26ⁿ, whereas the number of combinations that could be realized with this many seven-bit characters would be 128ⁿ, or about 5ⁿ times as many combinations.

In assessing the security of a given password scheme, it is important to consider the number of allowable combinations for valid passwords, rather than the theoretical number of combinations which might be obtainable based on the number of symbols and the length of the sequence employed. The more characters a password contains, the more combinations are possible; however, this is likely to increase the difficulty of memorizing and using it and may increase the likelihood of its being written down in a convenient place.
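As an added illustration (not part of the Guideline), the following Python computes the quantities this section walks through: the 1 in 2ⁿ, 6ⁿ and 10ⁿ chances for coins, dice and ten-step dials, the nominal 26ⁿ space of an n-letter password against the allowable space once a consonant-vowel-consonant pattern is imposed, the 128ⁿ space of the seven-bit character code, and, for the centralized generation procedure of Section 2.1, the issue of distinct passwords by sampling without replacement from the operating system's entropy source. The pattern letters, the function names and the generation routine are assumptions of this example.

```python
"""Allowable versus nominal password space, and centrally generated distinct
passwords.  Added example; the pattern notation is an assumption, not the
Guideline's."""
from fractions import Fraction
from math import log2
import secrets

CONSONANTS = "BCDFGHJKLMNPQRSTVWXYZ"   # 21 letters
VOWELS = "AEIOU"                        # 5 letters
LETTERS = CONSONANTS + VOWELS           # the 26-letter alphabet
SEVEN_BIT_CODE = 2 ** 7                 # 128 code points per character

# Symbols permitted at one position, keyed by a pattern letter (assumed here):
# C consonant, V vowel, L any letter, D decimal digit (one ten-step dial).
POSITION_POOLS = {"C": CONSONANTS, "V": VOWELS, "L": LETTERS, "D": "0123456789"}


def sequences(symbols: int, length: int) -> int:
    """Sequences of `length` equally likely symbols: 2**n for n coin tosses,
    6**n for n dice, 10**n for n ten-step dials, 26**n for n letters."""
    return symbols ** length


def allowable(pattern: str) -> int:
    """Number of passwords fitting a positional pattern, by the product rule:
    "CVC" gives 21 * 5 * 21 = 2205, against 26**3 = 17,576 for "LLL"."""
    total = 1
    for p in pattern:
        total *= len(POSITION_POOLS[p])
    return total


def chance_per_attempt(space: int) -> Fraction:
    """Probability that one blind attempt hits the single valid combination
    when every combination in the space is equally likely."""
    return Fraction(1, space)


def expected_attempts(space: int) -> Fraction:
    """Mean number of trial-and-error attempts needed to reach one valid
    combination when candidates are tried in turn without repetition."""
    return Fraction(space + 1, 2)


def assess(pattern: str) -> dict:
    """Compare a policy's allowable space with the nominal spaces suggested by
    the alphabet size (26**n) and by the seven-bit code (128**n)."""
    n = len(pattern)
    allowed = allowable(pattern)
    return {
        "length": n,
        "allowable": allowed,
        "nominal_letters": sequences(len(LETTERS), n),
        "nominal_7bit": sequences(SEVEN_BIT_CODE, n),
        "bits": log2(allowed),                       # log2 of the real space
        "chance_per_attempt": chance_per_attempt(allowed),
        "expected_attempts": expected_attempts(allowed),
    }


def generate_distinct_passwords(pattern: str, count: int) -> list:
    """Central generation from the OS entropy source (the secrets module), not
    a known pseudorandom algorithm.  Repeats are discarded and redrawn, which
    is sampling without replacement: no two users receive the same password."""
    if count > allowable(pattern):
        raise ValueError("more passwords requested than the pattern allows")
    issued = set()
    while len(issued) < count:
        issued.add("".join(secrets.choice(POSITION_POOLS[p]) for p in pattern))
    return sorted(issued)


if __name__ == "__main__":
    for pattern in ("LLL", "CVC", "CVCCVC", "DDDD"):
        print(pattern, assess(pattern))
    print(generate_distinct_passwords("CVCCVC", 5))
```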

Systems employing passwords should be designed in such a way that the passwords can be entered in a concealed manner. It should not be possible to discover a password simply by obtaining a scrap printout from the trash. Defenses employed against this latter threat include the following:

(1) On hardcopy (printing) terminals the password may be obscured by automatically overprinting (or underprinting) several times in the area where the password is to be typed.

(2) On a softcopy (CRT) terminal the screen may be immediately erased upon entry of a character or password.

(3) On either a hardcopy or softcopy terminal operating in a full duplex mode the password may be kept from appearing by not echoing it.

(4) The password may be kept from appearing by using a sequence of non-printing (or non-displayed) characters, although such a sequence might be more difficult to remember than an alphanumeric sequence.

There is a certain risk of exposure at the time that a password is actually entered. For example, the user might be observed entering the password, or it might be obtained by a wiretap. Encrypting the data between the terminal and the computer can protect against the wiretap threat. Another possibility is to use one-time passwords. For this, the users are given lists of passwords and choose the next one in succession for each use. Alternatively, they could be supplied with a new one after each use (assuming that a secure method of delivery were available). The advantage of one-time passwords is that any password which might be observed or intercepted would not be usable by an intruder for another access.
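An added example, not from the Guideline, of how the system side of a one-time password list can be kept: the system stores only digests of the issued list and the position of the next password expected, so a password that was observed or intercepted during entry is refused on any later attempt, and each decision is recorded for audit. The class, its method names and the three constructed sample passwords are assumptions.

```python
"""System-side record for one-time password lists (added example)."""
import hashlib
import hmac


class OneTimePasswordFile:
    """Per-user record: digests of the issued list and the index of the next
    password expected.  Only the user's own copy of the list holds the
    passwords in clear; the system never stores them."""

    def __init__(self):
        self._records = {}       # user -> {"digests": [...], "next": int}
        self.access_log = []     # (user, outcome) pairs, for auditing

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def enrol(self, user, passwords):
        """Register a freshly issued list for a user; position starts at 0."""
        self._records[user] = {
            "digests": [self._digest(p) for p in passwords],
            "next": 0,
        }

    def verify(self, user, presented):
        """Accept only the next unused password in succession.  A replayed
        password, an out-of-order one, an exhausted list or an unknown user
        is refused, and the expected position does not advance."""
        record = self._records.get(user)
        if record is None or record["next"] >= len(record["digests"]):
            self.access_log.append((user, "refused"))
            return False
        expected = record["digests"][record["next"]]
        # Constant-time comparison of digests, so the check leaks nothing
        # about how many leading characters happened to match.
        if hmac.compare_digest(self._digest(presented), expected):
            record["next"] += 1
            self.access_log.append((user, "accepted"))
            return True
        self.access_log.append((user, "refused"))
        return False

    def remaining(self, user):
        """How many passwords are left before a new list must be issued."""
        record = self._records[user]
        return len(record["digests"]) - record["next"]


def replay_scenario():
    """Constructed walk-through: a legitimate use, a replay of the very same
    password (what an observer would hold), an out-of-order one, and then
    the legitimate next password in succession."""
    passwords = ["K7PQ2ZXM", "R4WT9HJN", "B3YL6DVC"]   # constructed sample list
    system = OneTimePasswordFile()
    system.enrol("user01", passwords)
    return [
        system.verify("user01", passwords[0]),   # first use: accepted
        system.verify("user01", passwords[0]),   # replay: refused
        system.verify("user01", passwords[2]),   # out of order: refused
        system.verify("user01", passwords[1]),   # next in succession: accepted
    ]


if __name__ == "__main__":
    print(replay_scenario())   # expected [True, False, False, True]
```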

2.2. Something POSSESSED by an Individual

Locks and keys constitute a familiar access mechanism and one which is frequently associated with operator’s consoles and maintenance panels. Computer terminals have also been fitted with locks. The degree of security afforded by a lock and key is limited, however, since a key can be lost or stolen, and many locks are not difficult for an expert to pick. If a key falls into the hand of an unauthorized person, it may be necessary to rekey the lock, which can be a nuisance. Further, the key might be duplicated and returned by an unauthorized person, without the owner being aware of its loss. Thereafter, unauthorized access could be gained without anyone realizing that it was taking place.

More sophisticated means of access control are becoming available, usually in the form of a card having some type of machine-readable data encoded on it. The data are generally represented in such a manner as to be difficult for a would-be counterfeiter to read, interpret, or duplicate. Provisions can be included for assigning unique codes to individuals and sets of individuals. The reading stations for these cards can be controlled in a manner which permits the stations to be selectively operated by specific cards, accepting those which are authorized and excluding those which are not; also, access can be denied to cards which are “delisted” (removed from the authorization list). A list of cards for which access is to be denied is called a negative list. The card may include a picture of the individual for use in situations where visual identification is employed. Various technologies for embedding coded information in cards are being used or are under consideration, such as the embedding of patterns of magnetic materials, patterns of materials which can be sensed by infrared or x-ray radiation, and electronic circuitry which either produces or responds to radio frequency radiation. There may be provisions for variable data which can be altered with each use, providing a degree of security similar to one-time passwords.

Techniques such as encryption and scrambling may be used in connection with cards and the devices that read them in order to further enhance their security by making it difficult to read or interpret the data contained on them and to protect the transmissions between the reading device and the system being accessed. (See Section 6.5.) If the card is to contain an image that would normally be recognizable, such as a signature or picture, this may be recorded through a special lens system which creates an unrecognizably scrambled image. The scrambled image can only be read by viewing it through the inverse lens system which restores it to its original form.

The problem with a key or a card or other artifact is that it could fall into the hands of an unauthorized user through loss, theft, or other means. Therefore, it may be necessary to provide additional methods of verification where a higher level of security is required.

2.3. Something ABOUT an Individual

Because of the vulnerability of other methods of identification to such threats as theft and duplication, much emphasis is presently being focused on the technology of personal identification through physiological and morphological attributes [10, 11]. Among those which are in use or under consideration are faces, signatures, fingerprints, hand geometry, voice-prints, ear features, dental characteristics, prints from the bottom of the feet, and patterns on the retina of the eye. Another method obtains a dynamic muscular-skeletal response function by applying a mechanical stimulus at one point on the body and observing the resulting signal at another. The use of attributes of this type for personal identification is discussed in the next section.

3. Personal Identification by Means of Physiological Attributes

Consideration has been given to a variety of physiological attributes as possible bases for personal identification, as listed in the preceding section.

Because of various limitations and drawbacks in the current state-of-the-art, much effort is presently being expended in the search for an ideal choice of attribute(s) and recognition technology. A key consideration is the degree of intrapersonal variation versus interpersonal variation. Intrapersonal variations are those exhibited by a given attribute for a specific individual from one measurement to the next, considering various influencing factors including the passage of time. Interpersonal variations are those exhibited from one individual to another. Intrapersonal variations make it necessary to allow tolerances in the recognition process. But, as these tolerances are made larger, the likelihood of one individual being able to impersonate another is increased, which could raise the probability of an imposter being accepted.
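An added example (not from the Guideline) that makes the intrapersonal versus interpersonal trade-off concrete: constructed four-element measurements, of the kind a hand-geometry device might produce, are matched against the claimed identity's reference profile within a tolerance, in the verification manner of Section 1.2, and the false rejection and false acceptance rates are tabulated as the tolerance is loosened. The people, the numbers and the maximum-discrepancy distance are assumptions of the example.

```python
"""False rejection versus false acceptance as the matching tolerance is varied.
Added example with constructed data; the distance measure is an assumption."""
from fractions import Fraction

# Constructed enrolment data: one 4-element feature vector per person (think
# four finger lengths in millimetres).  This is the "file" profile.
REFERENCE = {
    "alice": (70, 78, 74, 60),
    "bob":   (75, 84, 80, 64),
    "carol": (66, 73, 70, 57),
}

# Constructed "live" measurements taken later from the same people.  Their
# small departures from REFERENCE are the intrapersonal variation.
SAMPLES = {
    "alice": [(71, 78, 73, 60), (70, 80, 74, 61), (68, 77, 75, 59)],
    "bob":   [(75, 85, 80, 65), (76, 84, 79, 64), (74, 81, 80, 63)],
    "carol": [(66, 73, 71, 57), (68, 75, 71, 58), (65, 72, 72, 56)],
}


def distance(a, b):
    """Largest per-feature discrepancy between two profiles; the tolerance
    is applied to this value."""
    return max(abs(x - y) for x, y in zip(a, b))


def verify(claimed_identity, live_sample, tolerance):
    """Identity verification: the claimed identity selects one reference
    profile and the live data must match it within the tolerance.  No search
    of the whole file takes place, unlike "absolute" identification."""
    reference = REFERENCE.get(claimed_identity)
    if reference is None:
        return False
    return distance(reference, live_sample) <= tolerance


def error_rates(tolerance):
    """Return (false rejection rate, false acceptance rate) at a tolerance.
    Genuine trials present each person's samples under their own identity;
    impostor trials present the same samples under every other identity."""
    genuine = [(who, s) for who, samples in SAMPLES.items() for s in samples]
    impostor = [(other, s) for who, samples in SAMPLES.items()
                for s in samples for other in REFERENCE if other != who]
    rejected = sum(not verify(who, s, tolerance) for who, s in genuine)
    accepted = sum(verify(other, s, tolerance) for other, s in impostor)
    return Fraction(rejected, len(genuine)), Fraction(accepted, len(impostor))


def tolerance_sweep(tolerances):
    """Tabulate the trade-off: loosening the tolerance lowers false
    rejections of authorized people and raises false acceptances of others."""
    return {t: error_rates(t) for t in tolerances}


if __name__ == "__main__":
    for t, (frr, far) in tolerance_sweep(range(8)).items():
        print(f"tolerance {t}: false rejection {frr}, false acceptance {far}")
```

With these constructed numbers a tolerance of 2 rejects one genuine attempt in nine while accepting no impostor, and a tolerance of 3 rejects none but accepts one impostor trial in eighteen; the device setting chooses which error matters more.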

A substantial problem in the use of physiological attributes is the difficulty of performing precise, repeatable measurements. Because of the curvilinear nature of the body surfaces and the plasticity of body tissue, it is difficult to establish accurate reference points and good registration for the purpose of taking measurements or pattern matching. Fingerprints are highly deformable, depending upon pressure both normal and tangential to the surface. There are topological relationships that are preserved under such deformations, and a trained analyst can pick these out, but it becomes much more difficult to achieve machine recognition under these circumstances.

Lack of precise repeatability is characteristic of most physiological attributes and processes, including handwriting and speaking. This must be taken into account in testing and evaluating a candidate identification system. In performing such tests, provision should be made to vary all factors that are considered to have an influence on the attribute(s) being utilized.

3.1. Appearance

People are most frequently identified by their faces, and this method of identification is embodied in the picture pass or badge which bears a black-and-white or color photograph of the individual. This method is not applicable to remote terminals unless the terminals are kept in areas to which access is controlled by guards [16]. Equipment is available for transmitting facial images by means of closed-circuit television from a terminal area to a manned central location where a picture file of authorized individuals is maintained. An individual to be identified furnishes his claimed identity and presents himself to the television camera, whereupon a file image is retrieved and compared by a guard with his “live” image on a monitor screen. If the guard is convinced that these images are alike, the identity is considered to be verified. This method is constrained by the need for a high bandwidth channel from the remote site to the central site, in order to convey the television images, and the comparison must be performed by a human. A slow-scan television system might be used to lower the bandwidth requirement, but this could lengthen the time to transmit the image and might reduce the resolution of the image.

3.2. Signatures

Signatures are frequently used as one method of verifying personal identity and for the authentication of documents. While handwriting, in general, tends to have unique characteristics from one individual to another, the signature is even more unique, since it is practiced frequently over a lifetime, often becoming highly stylized. Equipment for automatically comparing signatures is under development and appears promising as a means of personal identification [12]. While it would be possible to develop equipment for comparing completed signatures as static patterns, this would be vulnerable to deceit, either through forgery or the entry of a copy of the signature. A more promising approach is to make use of an instrumented stylus which senses the dynamic motions (velocity, acceleration, pressure) which occur during the actual signing process. These motions are highly characteristic of the individual and would be extremely difficult for an imposter to perceive or duplicate. It appears that sufficient information for the identification process can be obtained by extracting as little as a few dozen samples during the signing process. A typical signature takes 4 to 5 seconds; to this must be added the time to pick up the stylus and respond to a starting signal, and the time for the device to determine that the signature is completed. This extends the signing process to about 8 seconds. This data rate is sufficiently moderate to permit transmission to a central location where the matching process can be performed using a reference signature profile obtained from a central file. Note that the identification process simply consists of matching the profile of the “live” signature with the reference profile obtained from storage; it is not necessary to recognize the individual letters making up the signature (which would frequently be impossible). In using this method of personal identification, the individual would enter a claimed identity (and such other information as might be required) and then sign his name, using the instrumented stylus or tablet. The claimed identity would be used to retrieve from storage the reference profile to be compared against the profile of his “live” signature. If they matched to within some tolerance, his identity would be considered to be verified.

In  principle,  other  words  could  be  selected 
in  lieu  of  the  signature,  and  profiles  of  these 
words  could  be  placed  in  storage  for  matching 
purposes.  However,  there  are  unique  qualities 
in  the  way  a  signature  is  written,  having  the 
nature  of  a  conditioned  reflex,  which  cause  it 
to  be  preferable  to  ordinary  handwriting  for 
identification  purposes. 

3.3.  Fingerprints 

The use of fingerprints is one of the most well-established systems of personal identification currently in use [6]. However, fingerprints
are  not  generally  used  for  real-time  applications 
because  of  the  time  and  effort  consumed  in  ob¬ 
taining  good  images  which  are  easy  to  view 
and  because  of  the  training  needed  for  making 
comparisons.  Much  effort  is  being  expended  to 
overcome  these  difficulties,  and  terminal- 
oriented  recognition  systems  based  on  finger¬ 
prints  are  beginning  to  emerge. 

Two  basic  approaches  are  being  pursued  in 
automating  the  matching  of  fingerprints.  One 
method  consists  of  a  direct  optical  comparison 
between  the  “search”  print  (the  print  being 
entered)  and  the  file  prints.  In  the  other 
method,  the  search  print  is  scanned  and  a  list 
of  significant  detailed  features  (“minutiae”) 
is  compiled  in  digital  form.  This  list  may  then 
be  compared  with  a  similar  list  for  the  file 
print  [13]. 

In  a  personal  recognition  device  using  the 
direct  optical  comparison  method,  the  com¬ 
parison  process  must  be  carried  out  locally 
within  the  recognition  device,  since  it  is  not 
practical  to  transmit  the  fingerprint  image  over 
a  distance.  One  way  of  obtaining  the  two 
images  to  be  compared  is  to  have  a  card  con¬ 
taining  the  file  copy  of  the  fingerprint  entered 
into the device along with a card containing a fresh print of the corresponding finger. Sensitized material is available for producing a
visible  image  from  a  fingerprint  directly,  with¬ 
out the need for inking of the finger. Alternatively, the user might key in identifying information which would cause the file print to be retrieved from an internal file and positioned in the recognition device. He could then
enter  a  card  containing  his  fingerprint  to  be 
compared  with  the  file  print.  Within  the  device, 
the  images  of  the  search  print  and  the  file 
print  are  compared  using  optical  correlation, 
and  an  output  signal  is  produced  signifying 
the degree of match obtained. Since it is difficult to establish a precise reference for aligning fingerprints, the device will generally include a means for rotating one of the images slightly in order to allow for misorientation.
Experimental  work  with  holographs  is  being 
carried  out  for  use  in  fingerprint  matching 
systems. 

In  the  digital  comparison  method,  the  per¬ 
son  keys  in  identifying  information  which 
causes  the  minutia  list  for  his  fingerprint  to  be 
retrieved  from  a  file  at  a  central  location.  He 
then  places  the  corresponding  finger  on  an 
optical  window  and  a  scanning  process  is  per¬ 
formed  to  develop  a  search  minutia  list  from 
the  “live”  print.  The  search  minutia  list,  which 
requires  only  a  moderate  amount  of  data,  is 
sent  to  the  central  location,  where  a  comparison 
is  carried  out  between  the  search  minutia  list 
and  the  file  minutia  list,  using  special  algo¬ 
rithms  for  this  purpose.  Because  of  alignment 
problems  and  the  plasticity  of  the  finger,  it  is 
generally  not  possible  to  get  an  exact  match, 
but  the  comparison  process  develops  a  score 
which  indicates  the  likelihood  that  the  two 
prints  are  the  same.  The  central  system  may 
have  minutia  lists  on  file  for  more  than  one 
fingerprint  for  a  given  individual,  in  order  to 
allow  for  the  possibility  that  the  first  finger  to 
be  tried  might  not  be  scanned  properly  for 
some  reason  such  as  an  injury. 


3.4.  Hand  Geometry 

The  shape  of  an  individual’s  hand  has  been 
found  to  exhibit  sufficient  interpersonal  vari¬ 
ability  to  serve  as  a  basis  for  personal  identi¬ 
fication.  Equipment  has  been  developed  which 
senses  the  lengths  of  the  fingers,  translucency 
of  the  web  between  the  fingers,  and  curvature 
of  the  finger  tips.  In  a  commercial  device  for 
this  purpose,  the  individual  to  be  identified 
carries  a  card  with  identifying  information 
plus  the  data  representing  the  profile  of  his 
hand  measurements.  The  data  is  represented 
in  scrambled  form.  He  inserts  the  card  into  the 
recognition  device  and  then  positions  his  hand 
upon  the  sensing  area.  The  finger  measure¬ 
ments  are  then  derived  from  his  hand  and 
compared  with  the  data  read  from  the  card. 
If  a  match  is  obtained,  his  identity  is  con¬ 
sidered  to  be  verified.  This  complete  process 
can  be  done  in  less  than  three  seconds.  Alter¬ 
natively,  the  profile  data  may  be  stored  cen¬ 
trally.  In  this  case,  the  individual  first  supplies 
identifying  information  to  the  system  and  then 
positions  his  hand  upon  the  sensing  area.  The 
finger  measurements  are  then  transmitted  to 
the  central  location  for  comparison  with  the 
profile  data.  The  system  can  then  respond  ap¬ 
propriately,  based  upon  whether  or  not  a  match 
is  obtained. 


3.5.  Voiceprints 

Patterns  of  spoken  words  have  been  found 
to  exhibit  characteristics  which  are  sufficiently 
unique  to  serve  as  a  basis  for  personal  identi¬ 
fication.  Graphical  images  of  spoken  words 
may  be  formed  by  means  of  equipment  which 
plots  energy  at  different  frequencies  as  a  func¬ 
tion  of  time.  The  resulting  patterns  are  called 
voiceprints  and  have  been  studied  extensively. 
Expert  analysts  are  required  to  compare  one 
voiceprint with another. Waveforms of spoken words may be digitized and fed into a computer for analysis and comparison. Development work of this type is being actively pursued as a means of enabling spoken data to be entered directly into a computer. Development work is also proceeding on equipment for automatic speaker verification [5]. The use of
speech  as  a  method  of  personal  identification 
is  attractive  because  speech  can  readily  be 
transmitted  over  long  distances  by  telephone, 
enabling  the  recognition  equipment  to  be  at  a 
central  location.  Transmission  by  telephone  has 
a  significant  effect  upon  speech  waveforms, 
although  there  are  certain  features  which  tend 
to  remain  invariant  or  to  change  in  a  predict¬ 
able  manner.  Voice  characteristics  can  be  in¬ 
fluenced  by  an  individual’s  health,  emotional 
stress,  and  other  factors,  which  might  inter¬ 
fere  with  the  recognition  process. 


3.6.  Other  Attributes 

The  attributes  considered  thus  far  are  the 
ones  which  currently  appear  to  offer  the  most 
promise  for  application  to  remote  personal 
identification.  Those  attributes  listed  in  Section 
2.3  which  have  not  been  discussed  are  felt  to 
be  either  less  developed,  less  convenient  to  use, 
or  less  promising  for  remote  application.  It 
should  be  noted  that  this  is  a  very  active  field, 
because  of  the  current  emphasis  on  security, 
and  that  the  relative  merits  of  competing 
methods  may  shift  as  developments  proceed. 

4.  The  Accept  /  Reject  Decision 

Devices  for  personal  identification  based  upon 
physiological  attributes  generally  operate  in  the 
following  manner: 

(1)  The  would-be  entrant  or  user  instructs 
the  device  as  to  who  he  purports  to  be.  He  may 
do  this  by  keying  in  his  name  or  a  personal  ID 
number  or  other  identifier.  Or,  he  may  insert 
an  artifact,  such  as  a  magnetic  striped  card 
having  such  information. 

(2) The device then prepares to verify the claimed identity. This will be done by comparing a reference profile of the physiological attribute for that individual with the measured profile of the attribute as derived from the individual. Depending upon the device and the application, the reference profile may be obtained from a central file, it may be obtained from a local file in the device, or it may be read from an artifact supplied by the individual. An alternate method is to measure the attribute and send the measured profile to a central location for comparison with the reference profile.

(3)  The  measured  profile  is  compared  with 
the  reference  profile  and  the  degree  of  corre¬ 
lation  is  obtained.  This  generally  results  in  an 
output  signal  from  a  comparator  having  a  value 
lying  between  some  minimum  and  maximum 
value. 

(4)  The  resulting  value  is  compared  with  a 
preset  threshold  which  results  in  a  binary  de¬ 
cision  to  accept  or  reject  the  individual. 

Due to the compromises which arise in realizable recognition devices, the decision process is generally subject to some degree of imperfection and this can manifest itself in two forms:

Type I errors: rejection of an authorized individual; this is quantified as the False Alarm Rate (FAR).

Type II errors: acceptance of an imposter; this is quantified as the Imposter Pass Rate (IPR).

In statistical treatments, the probabilities associated with Type I and Type II errors are usually designated α and β, respectively [21].

4.1.  Determination  of  False  Alarm  Rate 
(FAR) 

The  FAR  indicates  the  degree  to  which  the 
identification  device  fails  to  recognize  author¬ 
ized  individuals.  A  FAR  of  2  percent  would 
indicate  that  authorized  individuals  would  be 
rejected  in  two  attempts  out  of  100  (on  the 
average)  ;  that  is,  the  device  would  generate  a 
“false  alarm,”  implying  that  the  individual  is 
an  imposter  when  in  fact  he  is  not.  The  method 
of  determining  the  FAR  for  an  identification 
device  is  to  select  a  population,  enlist  the  mem¬ 
bers  of  this  population  as  authorized  individ¬ 
uals,  train  them  in  the  operation  of  the  device, 
and  then  carry  out  a  planned  test  in  which  each 
member  attempts  to  identify  himself  through 
the  device  one  or  more  times.  For  each  attempt, 
the  response  of  the  device  is  noted,  namely 
whether  the  individual  was  accepted  or  re¬ 
jected.  It  is  also  extremely  valuable  to  record 
the  value  of  the  comparator  signal  produced 


within  the  device,  if  it  is  available,  in  order 
to  have  a  quantitative  indication  of  the  mar¬ 
gin  by  which  the  decision  threshold  is  ex¬ 
ceeded.  (See  Figure  1) 

The FAR is calculated from the test observations as follows:

FAR = (Number of False Rejects) divided by (Total Number of Identification Attempts for Authorized Persons)

The  size  of  the  population  and  the  number 
of  trials  per  individual  would  be  based  upon 
the degree of confidence desired in the determination of the FAR. Statistical techniques are available for the design of experiments of this type [15]. The FAR may be found to
vary  from  one  individual  to  another  in  a  given 
population ;  that  is,  certain  individuals  may  ex¬ 
hibit  higher  FARs  than  the  population  as  a 
whole,  indicating  that  these  individuals  are 
less  consistent  with  regard  to  the  attribute 
used  for  verification. 

The  design  of  a  test  for  determining  the 
FAR  of  a  particular  device  should  take  into 
consideration  any  variable  factors  which  might 
influence  the  performance  of  the  device,  such  as 
an  individual’s  physical  state  (rested,  tired), 
the  effects  of  exertion,  emotional  stress, 
whether  before  or  after  meals,  time  of  day, 
room  temperature  and  humidity.  A  knowledge 
of  the  principles  of  operation  of  the  specific 
device  would  be  important  in  deciding  what 
factors  might  influence  its  operation. 

As  discussed  previously,  there  are  various 
considerations  which  cause  the  operation  of 
identification  devices  to  be  less  than  ideal  (in¬ 
trapersonal  variation,  deformability  of  tissue, 
etc.).  This  means  that  an  authorized  individual 
may  occasionally  be  rejected  on  any  given  at¬ 
tempt.  The  probability  of  this  is  expressed  by 
the  FAR.  This  shortcoming  can  be  offset  by 
allowing  the  individual  to  repeat  the  identifi¬ 
cation  attempt.  The  number  of  such  attempts 
should  generally  be  limited  to  a  low  value,  such 
as  three,  in  order  to  prevent  an  imposter  from 
trying  to  thwart  the  device  through  some 
repetitive  form  of  deceit.  The  FAR  gives  an 
indication  of  the  number  of  occasions  on  which 
multiple  attempts  would  be  required.  With  a 
FAR  of  5  percent,  an  authorized  individual 
would  be  rejected  once  out  of  every  20  at¬ 
tempts,  on  the  average.  However,  by  making 
further  attempts  he  should  be  correctly  recog¬ 
nized.  Some  test  data  indicates  that  an  indi¬ 
vidual  may  occasionally  be  found  to  have  de¬ 
viated  beyond  the  tolerance  for  acceptance. 
In  such  cases  it  may  be  necessary  to  re-enroll 
the  individual. 

In  evaluating  the  performance  of  an  identi¬ 
fication  device  it  is  helpful  to  plot  the  test  data 
as  shown  in  Figure  1. 
FIGURE 1

PLOT  OF  EXPERIMENTAL  DATA  OBTAINED  IN 
CONDUCTING  THE  TEST  FOR  FALSE  ALARM  RATE  (FAR) 


4.2.  Determination  of  Imposter  Pass  Rate 

(IPR) 

The  IPR  indicates  the  degree  to  which  the 
identification  device  fails  to  reject  imposters. 
An  IPR  of  3  percent  would  indicate  that,  on 
the  average,  imposters  would  be  accepted  in 
three  attempts  out  of  100. 

The  IPR  is  intended  to  reflect  only  those 
situations  in  which  the  acceptance  of  an  im¬ 
poster  is  coincidental;  that  is,  the  imposter 
makes  no  active  effort  at  deceit,  other  than  to 
falsely  claim  to  be  an  authorized  individual.  It 
should  be  evident  that,  with  sufficient  ingenu¬ 
ity  and  effort  on  the  part  of  the  imposter,  a 
substantially  higher  IPR  might  be  achieved. 
This  is  considered  further  in  the  discussion  of 
evaluation  criteria.  The  method  of  determining 
the  IPR  for  an  identification  device  is  to  select 
a  population,  train  the  members  of  this  popu¬ 
lation  in  the  operation  of  the  device,  and  then 
carry  out  a  planned  test  in  which  each  mem¬ 
ber  attempts  to  identify  himself  to  the  device 
one  or  more  times,  while  purporting  to  be  an 
authorized  user  (other  than  himself).  The 
sample  population  chosen  for  this  test  may  in¬ 
clude  individuals  who  have  established  author¬ 
ized  identities  with  the  device ;  however,  for 
this  test  they  attempt  to  impersonate  author¬ 
ized  individuals  other  than  themselves.  For 
each  attempt,  the  response  of  the  device  is 
noted,  namely  whether  the  individual  was  ac¬ 
cepted  or  rejected.  It  is  also  very  valuable,  as 
with  the  FAR  test,  to  record  the  comparator 
signal  produced  within  the  device. 

The IPR is calculated from the test observations as follows:

IPR = (Number of False Acceptances) divided by (Total Number of Identification Attempts for Imposters)


As  with  the  FAR  test,  the  size  of  the  popu¬ 
lation  and  the  number  of  trials  per  individual 
would  be  based  upon  the  degree  of  confidence 
desired  in  the  determination  of  the  IPR  [15]. 
Again,  any  variable  factors  which  might  in¬ 
fluence  the  performance  of  the  device  should 
be  taken  into  consideration  in  the  design  of 
the  test. 

In  evaluating  the  results  of  this  test,  it  is 
helpful  to  plot  the  test  data  as  shown  in  Figure 
2. 


FIGURE  2 

PLOT  OF  EXPERIMENTAL  DATA  OBTAINED 
IN  CONDUCTING  THE  TEST  FOR  IMPOSTER 
PASS  RATE  (IPR) 

The  FAR  data  and  the  IPR  data  are  gener¬ 
ally  plotted  on  the  same  graph,  as  shown  in 
Figure  3. 


4.3.  Combined  Test  for  FAR  and  IPR 

In practice, it is more convenient to employ a single composite test design for determining the FAR and the IPR, rather than testing for them separately. In order to keep the statistics
unbiased,  the  observers  should  be  unaware  of 
whether  a  particular  attempt  is  being  made  by 
an  authorized  individual  or  an  imposter. 

The  preferred  performance  of  an  identifica¬ 
tion  device  would  be  such  that  the  regions 
portrayed  in  Figure  3  were  clearly  separated 
as  in  Figure  4.  This  performance  data  exhibits 
a  region  in  which  the  comparator  signal  never 
occurs;  by  adjusting  the  decision  threshold 
to  lie  within  this  region,  the  FAR  and  IPR 
could  both  be  reduced  to  zero.  The  device  would 
then  accept  all  authorized  persons  and  reject 
all  imposters. 
FIGURE 3

FAR DATA & IPR DATA PLOTTED ON SAME GRAPH


FIGURE 5

TYPICAL PERFORMANCE OF A REALIZABLE IDENTIFICATION DEVICE (compromise threshold shown at FAR = IPR = 3%)


In  practically  realizable  identification  de¬ 
vices,  a  certain  amount  of  overlap  is  generally 
encountered,  as  shown  in  Figure  5. 

In  such  cases,  the  setting  of  the  decision 
threshold  must  be  a  compromise.  If  one  of  the 
factors  is  of  greater  concern  than  the  other,  the 
threshold  can  be  adjusted  to  reflect  this.  For 
example,  if  rejection  of  imposters  is  the  main 
objective,  a  higher  threshold  setting  can  be 
used,  reducing  the  IPR  to  zero  but  increasing 
the  FAR.  Another  possibility  is  to  establish 
two  thresholds  for  the  comparator  output,  to 
be  interpreted  as  follows :  If  the  high  threshold 
is  exceeded,  it  is  certain  that  the  individual  is 
authorized ;  if  the  output  is  below  the  low 
threshold,  it  is  certain  that  the  individual  is 
an  imposter ;  if  the  output  is  between  the  two 
thresholds,  an  uncertainty  exists  and  an  alter¬ 
native  procedure  should  be  invoked  to  verify 
the  identity. 
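The procedure of Sections 4 through 4.3 (record the comparator signal for every attempt, compute the FAR and IPR at a threshold from those records, look for a gap between the two populations as in Figure 4, and otherwise choose a compromise threshold or a pair of thresholds as in Figure 5) can be carried out on recorded trial data as follows. This is an added example in Python and not code from the guideline. The comparator scores are constructed for illustration, a higher score is taken to mean a closer match to the reference profile, and a trial is accepted when its score reaches the threshold; all function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Trial:
    """One identification attempt recorded during a combined FAR/IPR test (Section 4.3)."""
    score: float   # comparator output; higher means a closer match to the reference profile
    genuine: bool  # True if the claimant really was the authorized individual he claimed to be


# Constructed comparator scores for illustration (not measurements from the guideline):
# 20 attempts by authorized individuals and 20 attempts by imposters.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.85, 0.90, 0.74, 0.83, 0.77, 0.86,
                  0.71, 0.89, 0.80, 0.78, 0.84, 0.69, 0.87, 0.82, 0.75, 0.91]
IMPOSTER_SCORES = [0.21, 0.35, 0.48, 0.30, 0.55, 0.42, 0.18, 0.61, 0.39, 0.27,
                   0.44, 0.33, 0.52, 0.25, 0.47, 0.36, 0.58, 0.29, 0.40, 0.72]
TRIALS: List[Trial] = ([Trial(s, True) for s in GENUINE_SCORES]
                       + [Trial(s, False) for s in IMPOSTER_SCORES])


def far_ipr(trials: Sequence[Trial], threshold: float) -> Tuple[float, float]:
    """FAR = false rejects / attempts by authorized persons, IPR = false acceptances /
    attempts by imposters, for a device that accepts when score >= threshold."""
    genuine = [t.score for t in trials if t.genuine]
    imposters = [t.score for t in trials if not t.genuine]
    false_rejects = sum(1 for s in genuine if s < threshold)
    false_accepts = sum(1 for s in imposters if s >= threshold)
    far = false_rejects / len(genuine) if genuine else 0.0
    ipr = false_accepts / len(imposters) if imposters else 0.0
    return far, ipr


def score_histogram(trials: Sequence[Trial], bins: int = 10) -> List[Tuple[float, int, int]]:
    """Counts per equal-width bin over [0, 1]: (bin lower edge, genuine count, imposter count).
    This is the content of Figures 1 to 3 as numbers rather than as a plot."""
    counts = [[0, 0] for _ in range(bins)]
    for t in trials:
        idx = min(int(t.score * bins), bins - 1)  # a score of exactly 1.0 lands in the top bin
        counts[idx][0 if t.genuine else 1] += 1
    return [(i / bins, g, im) for i, (g, im) in enumerate(counts)]


def separation_gap(trials: Sequence[Trial]) -> Tuple[float, float]:
    """(lowest genuine score, highest imposter score). When the first exceeds the second the
    two populations do not overlap (Figure 4) and any threshold between them gives
    FAR = IPR = 0; otherwise the situation is that of Figure 5."""
    lowest_genuine = min(t.score for t in trials if t.genuine)
    highest_imposter = max(t.score for t in trials if not t.genuine)
    return lowest_genuine, highest_imposter


def compromise_threshold(trials: Sequence[Trial]) -> float:
    """Sweep every observed score as a candidate threshold and return the one whose FAR and
    IPR are closest to each other, preferring the lower combined error on ties."""
    def badness(threshold: float) -> Tuple[float, float]:
        far, ipr = far_ipr(trials, threshold)
        return abs(far - ipr), far + ipr
    return min(sorted({t.score for t in trials}), key=badness)


def two_threshold_decision(score: float, low: float, high: float) -> str:
    """The two-threshold rule of Section 4.3: 'accept' at or above the high threshold,
    'reject' below the low one, 'refer' in between so an alternative procedure is invoked."""
    if low > high:
        raise ValueError("low threshold must not exceed high threshold")
    if score >= high:
        return "accept"
    if score < low:
        return "reject"
    return "refer"


if __name__ == "__main__":
    low_g, high_i = separation_gap(TRIALS)
    print(f"lowest genuine {low_g:.2f}, highest imposter {high_i:.2f}: "
          f"{'no overlap' if low_g > high_i else 'overlap, threshold is a compromise'}")
    th = compromise_threshold(TRIALS)
    far, ipr = far_ipr(TRIALS, th)
    print(f"compromise threshold {th:.2f}: FAR {far:.1%}, IPR {ipr:.1%}")
    for edge, g, im in score_histogram(TRIALS):
        print(f"{edge:.1f}-{edge + 0.1:.1f}  genuine {'#' * g:<10}  imposter {'#' * im}")
```

Recording the comparator score as well as the accept/reject response, as the text recommends, means the same trial data can be re-evaluated at any threshold without repeating the test. In the constructed data the lowest genuine score (0.69) lies below the highest imposter score (0.72), so no zero-error threshold exists; the sweep settles on 0.71, where FAR and IPR are both 5 percent, and a two-threshold rule would be set to bracket that overlap region.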


4.4.  Effect  on  FAR  and  IPR  of  Allowing 
Multiple  Attempts 

Where  a  personal  identification  system  ex¬ 
hibits  a  nonzero  FAR  value,  it  is  generally 


necessary  to  allow  an  individual  more  than  one 
attempt  to  verify  his  identity.  However,  it 
should  be  noted  that  the  effective  FAR  and 
IPR  values  are  significantly  affected  by  allow¬ 
ing  multiple  attempts.  Consider  a  system  with 
a  basic  FAR  of  3  percent  and  an  IPR  of  2 
percent.  On  the  basis  of  single  attempts, 
authorized  individuals  would  be  rejected  3 
percent  of  the  time.  By  allowing  a  second  at¬ 
tempt,  the  probability  of  being  rejected  twice 
would  be  0.03  X  0.03  or  0.0009,  or  less  than 
once  in  a  thousand.  (This  assumes  that  the 
performance  of  the  device  is  statistically  inde¬ 
pendent  for  each  attempt.  In  practice,  it  may 
be  found  that  some  individuals  experience  more 
difficulty  than  others,  so  the  effective  FAR 
improvement  might  not  be  quite  as  great  as 
indicated.) In order to realize this enhancement of the FAR, it must be assumed that the individual will be accepted if he is successfully verified on either attempt. Applying this rule, the IPR would increase in proportion to the number of attempts allowed. Assuming the performance of the device to be statistically independent for each attempt, a basic IPR of 2 percent would become approximately 4 percent for two attempts, 6 percent for three attempts, and so on. (If p is the probability of an imposter being accepted in a single attempt, the probability of his being accepted at least once in n attempts is 1 - (1 - p)^n, which for small values of p is approximately proportional to the number of attempts.) Therefore, if multiple attempts must be allowed in order to realize an acceptably low effective FAR, then a correspondingly lower basic IPR will be required in order to keep the effective IPR with multiple attempts from becoming excessive.
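The arithmetic of Section 4.4, carried through as an added example (not code from the guideline): the effective FAR and IPR under n statistically independent attempts, the single-attempt IPR that a device would need so that n attempts stay within a target effective IPR, and the caveat in the text that the FAR improvement is smaller when some individuals are much less consistent than others. The per-individual FAR values used at the end are constructed for illustration.

```python
from typing import List, Sequence, Tuple


def effective_far(far: float, attempts: int) -> float:
    """Probability that an authorized individual is rejected on every one of `attempts`
    independent tries; he is accepted if any single try succeeds."""
    return far ** attempts


def effective_ipr(ipr: float, attempts: int) -> float:
    """Probability that an imposter is accepted at least once in `attempts` independent
    tries: 1 - (1 - p)^n, which is roughly n * p for small p."""
    return 1.0 - (1.0 - ipr) ** attempts


def required_basic_ipr(target_effective_ipr: float, attempts: int) -> float:
    """Invert effective_ipr: the single-attempt IPR a device must have so that allowing
    `attempts` tries does not push the effective IPR above the target."""
    return 1.0 - (1.0 - target_effective_ipr) ** (1.0 / attempts)


def attempts_table(far: float, ipr: float, max_attempts: int) -> List[Tuple[int, float, float]]:
    """(n, effective FAR, effective IPR) for n = 1 .. max_attempts."""
    return [(n, effective_far(far, n), effective_ipr(ipr, n)) for n in range(1, max_attempts + 1)]


def effective_far_heterogeneous(individual_fars: Sequence[float], attempts: int) -> float:
    """Effective FAR when each individual has his own single-attempt FAR and users arrive
    uniformly: the average of far_i ** n over the population. Raising to a power weights the
    large values, so this is never below effective_far(mean FAR, n); the independence figure
    is optimistic whenever a few individuals are much less consistent than the rest."""
    if not individual_fars:
        raise ValueError("need at least one individual")
    return sum(f ** attempts for f in individual_fars) / len(individual_fars)


if __name__ == "__main__":
    for n, far_n, ipr_n in attempts_table(0.03, 0.02, 3):
        print(f"{n} attempt(s): effective FAR {far_n:.4%}, effective IPR {ipr_n:.2%}")
    print(f"basic IPR needed to hold the 3-attempt IPR to 2%: {required_basic_ipr(0.02, 3):.2%}")
    # Constructed population: three consistent users and one troublesome one, mean FAR 3%.
    fars = [0.01, 0.01, 0.01, 0.09]
    print(f"two attempts, heterogeneous population: {effective_far_heterogeneous(fars, 2):.2%} "
          f"vs {effective_far(sum(fars) / len(fars), 2):.2%} if every user were average")
```

With the text's figures (FAR 3 percent, IPR 2 percent) two attempts give an effective FAR of 0.09 percent and an effective IPR of 3.96 percent; holding the three-attempt IPR to 2 percent requires a basic IPR of about 0.67 percent. The heterogeneous population with the same mean FAR comes out at 0.21 percent after two attempts rather than 0.09 percent.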

4.5.  Combining  of  Personal  Identification 
Methods 

The  accuracy  of  the  personal  identification 
process  may  be  enhanced  by  combining  two  or 
more  methods,  rather  than  relying  on  a  single 
method.  However,  attention  must  be  given  to 
the  decision  rules  which  are  used  in  combining 
the  results  of  the  separate  methods.  Various 
alternatives are shown in Table 1, in which two identification methods are employed jointly. Method 1 is assumed to have FAR_1 = 5 percent and IPR_1 = 8 percent. Method 2 is assumed to have FAR_2 = 7 percent and IPR_2 = 12 percent. It is assumed that the methods are statistically independent of each other in their performance.


Consider Alternative A of Table 1. This rule states that the individual is to be accepted only if he is accepted by both Method 1 and Method 2. This has the effect of strengthening the rejection of imposters, resulting in a joint IPR which is the product of IPR_1 and IPR_2: IPR_A = 0.96 percent. However, the likelihood of an authorized individual being rejected is now greater than for either method alone, the joint FAR being approximately the sum of the FARs for the separate methods: FAR_A = 12 percent. Statistical independence is a reasonable assumption in this case.

Under Alternative B, the individual is to be rejected only if he is rejected by both Method 1 and Method 2. This cuts down on false alarms at the expense of increasing the acceptance of imposters. Under this alternative, FAR_B is 0.35 percent while IPR_B is about 19 percent.

It is possible to realize improvements in both the FAR and IPR by establishing the rule that an individual will be accepted or rejected only if both systems are in agreement, as shown in Alternative C. In this case, different identification procedures are to be invoked for situations in which the two methods give contradictory results. Under Alternative C, if an individual experiences a contradictory result (as indicated by an * in the Table) this should not be construed as a false alarm but simply as an indication of the need for further substantiation. Considered in this light, FAR_C is 0.35 percent and IPR_C is 0.96 percent.


Table 1. Alternative Decision Rules

  Method 1           Method 2           Alternative A   Alternative B   Alternative C
  (FAR_1 = 5%,       (FAR_2 = 7%,
   IPR_1 = 8%)        IPR_2 = 12%)
  Response           Response           Decision        Decision        Decision
  ---------------------------------------------------------------------------------
  Accept             Accept             Accept          Accept          Accept
  Accept             Reject             Reject          Accept          *
  Reject             Accept             Reject          Accept          *
  Reject             Reject             Reject          Reject          Reject

  Effective values for combined systems:
  FAR_A = 12%        FAR_B = 0.35%      FAR_C = 0.35%
  IPR_A = 0.96%      IPR_B = 19%        IPR_C = 0.96%

  * Resort to a different verification procedure.

  FAR_A = 0.05 + 0.07 - (0.05 × 0.07) = 0.1165 ≈ 12%
  IPR_A = 0.08 × 0.12 = 0.0096 = 0.96%
  FAR_B = 0.05 × 0.07 = 0.0035 = 0.35%
  IPR_B = 0.08 + 0.12 - (0.08 × 0.12) = 0.1904 ≈ 19%
  FAR_C = 0.05 × 0.07 = 0.0035 = 0.35%
  IPR_C = 0.08 × 0.12 = 0.0096 = 0.96%
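The three decision rules of Section 4.5, worked in code as an added example that is not the guideline's own. The effective FAR and IPR of two statistically independent methods are obtained by enumerating the four response combinations, weighting each by its probability for a genuine user and for an imposter, and summing the wrong decisions. Referrals under Alternative C are not counted as errors, following the text; the extra function `referral_rates` shows how often the alternate procedure would actually be invoked, which Table 1 does not state. The rule functions and their names are this example's assumptions.

```python
from itertools import product
from typing import Callable, Dict, Iterator, Tuple

Response = str                                # "accept" or "reject" from one method
Rule = Callable[[Response, Response], str]    # returns "accept", "reject" or "refer"


def rule_a(r1: Response, r2: Response) -> str:
    """Alternative A: accept only if both methods accept."""
    return "accept" if r1 == "accept" and r2 == "accept" else "reject"


def rule_b(r1: Response, r2: Response) -> str:
    """Alternative B: reject only if both methods reject."""
    return "reject" if r1 == "reject" and r2 == "reject" else "accept"


def rule_c(r1: Response, r2: Response) -> str:
    """Alternative C: decide only when the methods agree; otherwise refer the individual to
    a different verification procedure (the * entries of Table 1)."""
    return r1 if r1 == r2 else "refer"


RULES: Dict[str, Rule] = {"A": rule_a, "B": rule_b, "C": rule_c}


def _outcome_probabilities(far1: float, ipr1: float, far2: float, ipr2: float
                           ) -> Iterator[Tuple[Response, Response, float, float]]:
    """Yield (response 1, response 2, P for a genuine user, P for an imposter) for each of
    the four response combinations, assuming the two methods are independent."""
    for r1, r2 in product(("accept", "reject"), repeat=2):
        p_genuine = (((1 - far1) if r1 == "accept" else far1)
                     * ((1 - far2) if r2 == "accept" else far2))
        p_imposter = ((ipr1 if r1 == "accept" else (1 - ipr1))
                      * (ipr2 if r2 == "accept" else (1 - ipr2)))
        yield r1, r2, p_genuine, p_imposter


def combined_rates(far1: float, ipr1: float, far2: float, ipr2: float,
                   rule: Rule) -> Tuple[float, float]:
    """(effective FAR, effective IPR): the probability a genuine user is rejected and the
    probability an imposter is accepted. A 'refer' counts as neither, as the guideline
    reads Alternative C."""
    far = ipr = 0.0
    for r1, r2, p_gen, p_imp in _outcome_probabilities(far1, ipr1, far2, ipr2):
        decision = rule(r1, r2)
        if decision == "reject":
            far += p_gen
        elif decision == "accept":
            ipr += p_imp
    return far, ipr


def referral_rates(far1: float, ipr1: float, far2: float, ipr2: float,
                   rule: Rule) -> Tuple[float, float]:
    """How often the rule hands off to the alternate procedure, as (genuine, imposter)
    probabilities. Zero for rules A and B; for rule C these are the contradictory cases,
    whose outcome then depends entirely on that alternate procedure."""
    gen = imp = 0.0
    for r1, r2, p_gen, p_imp in _outcome_probabilities(far1, ipr1, far2, ipr2):
        if rule(r1, r2) == "refer":
            gen += p_gen
            imp += p_imp
    return gen, imp


if __name__ == "__main__":
    params = (0.05, 0.08, 0.07, 0.12)     # Table 1: FAR_1, IPR_1, FAR_2, IPR_2
    for name, rule in RULES.items():
        far, ipr = combined_rates(*params, rule)
        ref_gen, ref_imp = referral_rates(*params, rule)
        print(f"Alternative {name}: FAR {far:.2%}, IPR {ipr:.2%}; "
              f"referred: genuine {ref_gen:.1%}, imposters {ref_imp:.1%}")
```

With the Table 1 parameters this reproduces FAR_A = 11.65%, IPR_A = 0.96%, FAR_B = 0.35%, IPR_B = 19.04%, FAR_C = 0.35% and IPR_C = 0.96%. It also shows that Alternative C refers about 11.3 percent of genuine users and 18.1 percent of imposters to the alternate procedure, so the low FAR_C and IPR_C are only as good as that procedure's own error rates.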


5.  Evaluation  Criteria 

There  are  several  factors  to  be  considered  in 
evaluating  personal  identification  systems  for 
a  particular  application.  In  addition  to  the  FAR 
and  IPR  discussed  in  the  previous  section,  the 
following  factors  should  be  considered : 

(1)  Resistance  to  deceit 

(2)  Ease  of  counterfeiting  an  artifact 

(3)  Susceptibility  to  circumvention 

(4)  Time  to  achieve  recognition 

(5)  Convenience  to  user 

(6)  Cost  of  recognition  device  and  of  its  use 

(7)  Interfacing  of  device  for  intended  pur¬ 
pose 

(8)  Time  and  effort  involved  in  updating 
(adding  and  deleting  users,  issuing  new  pass¬ 
words,  keys,  changing  combinations). 

(9)  Processing  required  in  computer  system 
to  support  identification  process. 

(10)  Reliability  and  Maintainability 

(11)  Cost  of  protecting  the  device. 

(12)  Cost  of  distribution  and  logistical  sup¬ 
port. 

These  factors  will  be  discussed  in  the  para¬ 
graphs  which  follow,  the  intent  being  to  provide 
guidance  on  collecting  and  assessing  informa¬ 
tion  on  specific  personal  identification  systems. 
The  evaluation  of  any  given  device  should  cen¬ 
ter  on  the  experimental  or  analytic  determina¬ 
tion  of  these  parameters. 


5.1  Resistance  to  Deceit 

The  IPR  indicates  the  extent  to  which  a 
recognition  device  might  allow  acceptance  of 
an  imposter  who  was  simply  purporting  to  be 


an  authorized  individual.  It  is  not  intended  to 
reflect  cases  in  which  an  active  effort  at  deceit 
is  attempted.  Such  efforts  might  include  at¬ 
tempts  to  mimic  another  person’s  voice,  forge 
a  signature,  use  a  hand-shaped  template,  etc. 
It  should  be  evident  that  any  recognition  device 
might  be  vulnerable  to  deceit  by  a  sufficiently 
authentic-looking  entity  embodying  a  contrived 
set  of  input  characteristics.  Resistance  to  deceit 
would depend on the difficulty required to synthesize an entity having the necessary set of characteristics.


5.2  Counterfeiting  of  Artifacts 

Recognition  techniques  which  rely  on  arti¬ 
facts,  such  as  a  key  or  plastic  card,  are  vulner¬ 
able  to  being  deceived  by  a  counterfeit  copy 
of  the  artifact.  Here,  the  vulnerability  is 
related  to  the  uniqueness  of  the  artifact.  An 
artifact requiring very specialized and sophisticated equipment to produce, together with its encoded information, should be correspondingly difficult to counterfeit. It should be noted,
however,  that  it  may  be  possible  to  copy  an 
artifact  much  more  readily  than  to  reproduce 
it  by  the  original  method.  For  example,  some 
holographs  can  be  copied  by  contact  printing, 
without  the  need  for  a  complex  optical  system 
or  coherent  light  source.  A  further  precaution 
should be noted with regard to ease of alteration. An artifact which might be difficult to produce initially might nevertheless be altered with less difficulty, thereby allowing updating of
a  discarded  or  stolen  artifact,  or  allowing  an 
individual  with  a  limited  degree  of  access  to 
masquerade  as  someone  at  a  higher  level.  For 
example,  assume  that  a  card  uses  punched 
holes  to  establish  the  level  of  access.  An  un¬ 
authorized  person  might  be  able  to  plug  some 
holes  or  to  punch  or  file  additional  holes  to  gain 
access  to  a  level  other  than  the  one  authorized. 


5.3  Susceptibility  to  Circumvention 

Aside  from  deceiving  a  recognition  device  by 
some  artificial  means,  consideration  should  be 
given  to  the  ease  with  which  the  device  might 
be  circumvented  altogether,  without  the  need 
for  deceiving  the  recognition  logic.  If  the  device 
has  an  output  wire  which  carries  the  pass/ 
reject  signal,  an  obvious  step  would  be  to  tap 
into  this  wire  and  inject  a  false  pass  signal. 
Other  more  subtle  measures  might  be  applied, 
depending  on  the  manner  in  which  the  device 
operates  and  the  way  in  which  it  functions  in  a 
system.  It  is  evident  that  appropriate  precau¬ 
tions  must  be  taken  to  guard  against  such  cir¬ 
cumvention.  One  such  precaution  is  the  use  of 
encryption,  which  is  discussed  in  Section  6.5. 

5.4 Time to Achieve Recognition

Different  recognition  schemes  may  require 
differing  amounts  of  time  to  carry  out  the 
recognition  process  and  arrive  at  a  decision. 
This  time  is  made  up  of  the  time  required  to 
actuate the device, which may involve keying in some data, such as a combination, password, or personal identifier, the time for biometric
sensing  to  take  place,  the  time  to  manipulate 
an  artifact,  the  time  for  a  file  retrieval  to  be 
carried  out,  the  time  for  processing  to  occur, 
such  as  a  correlation,  the  time  for  communica¬ 
tion  with  a  central  facility,  and  finally  the  time 
to  effect  the  acceptance  or  rejection.  It  may  be 
necessary  to  allow  for  more  than  one  trial, 
which  further  increases  the  time.  In  a  system 
utilizing  hand-written  signatures,  about  4  to  5 
seconds  is  required  for  the  signature  itself ; 
people  are  often  not  aware  that  it  takes  this 
long  to  sign  their  names.  Systems  which  must 
be  used  frequently  such  as  those  needed  to  re¬ 
verify  authorization  for  multiple  accesses,  may 
have  to  work  quite  rapidly,  although  this  speed 
requirement  may  not  be  compatible  with  the 
achievement  of  a  high  degree  of  certainty. 
User  impatience  with  even  moderate  incon¬ 
venience  imposed  by  security  devices  is  well 
known,  leading  to  such  subterfuges  as  latches 
being  taped  and  doors  being  propped  open. 

5.5  Convenience  to  User 

For  a  personal  identification  system  to  gain 
acceptance,  it  must  be  reasonably  convenient 
to  the  user;  otherwise  it  would  be  regarded  as 
an  impediment  and  may  even  be  circumvented 
by  the  user  as  suggested  earlier  [20].  For 
example,  it  should  be  evident  that  a  system 
requiring  inked  fingerprint  impressions  for 
each  recognition  would  be  objectionable.  How¬ 
ever,  an  acceptable  fingerprint  impression  for 
optical  scanning  can  be  obtained  by  placing  the 
finger  on  the  surface  of  a  prism  which  is 
arranged  to  exploit  the  principle  of  frustrated 
total  internal  reflection. 

Related  to  convenience  is  the  ease  of  learning 
to  actuate  the  recognition  scheme,  including 
data  to  be  memorized  such  as  passwords  and 
combinations.  The  possibility  for  human  error 
must  be  recognized  and  provisions  made  for 
starting  over  and  repeating  the  process.  These 
provisions  should  be  limited,  however,  in  order 
to  deny  an  imposter  the  opportunity  to  gain 
acceptance  through  trial  and  error.  Devices 
which  depend  on  the  actuation  of  buttons  or 
keys  in  a  coded  sequence  should  be  shielded  so 
that  a  would-be  imposter  could  not  learn  the 
sequence  by  observation. 

A  provision  that  can  be  included  is  a  “time 
penalty”,  in  which  the  recognition  device  is  held 


off  for  a  time  interval  after  an  unsuccessful 
identification  attempt,  in  order  to  impede 
efforts  to  gain  access  by  trial  and  error,  es¬ 
pecially  by  automated  means.  Also,  an  alarm 
indication  can  be  generated  when  erroneous 
identification  attempts  are  made,  in  order  to 
call  attention  to  possible  intrusion  attempts 
by  an  imposter. 

5.6 Cost of Recognition Device

Some recognition devices are self-contained and can be used singly, while others require sophisticated support functions which are best performed centrally and shared among a number of devices. The support functions might require a specialized dedicated system, or they might be programmable on a general-purpose machine, in which case they could utilize a fraction of the processing capability of the system for which access protection is being provided. In any event, there will be a cost for each recognition device as installed at the points where identification is to be established, and there may be additional costs for centralized supporting equipment.

5.7 Interfacing of Device for Intended Purpose

The recognition device might be used for controlling access to an area or it might be used for controlling the use of equipment such as a terminal or operator’s console. The recognition device must be suitably interfaced for the intended purpose, and this may place certain constraints on the choice of device. The device should be interfaced in a manner which meets system requirements and which prevents the device from being disabled or circumvented. The installation should be tamper-proof, which involves physical integrity plus the use of alarm sensors which would be activated by attempts at circumvention. The device might be used for enabling local equipment and might also be tied to a central system which monitors its operation and which may provide support for the recognition process. The device may provide only a part of the acceptance process; the user might also have to employ supplementary procedures, which would generally be processed by a central system.

5.8 Time and Effort Involved in Updating

Good security practices entail periodic reissuing of the variable elements of the system — passwords, keys, combinations, encoded artifacts, etc. This should also be done if the system is suspected to have been compromised, such as through loss or theft of a key or artifact. Software-implemented provisions, such as passwords (including one-time passwords), may be relatively easy to change and to reissue, as compared to picture badges. Some push-button combination locks are designed to permit new combinations to be entered at will; locks and keys would be more difficult to update. The choice of an access control scheme would thus be influenced by how often updating would be required and the effort involved in carrying this out.

5.9 Processing Required in Computer System

As mentioned earlier, some recognition schemes involve data processing to support the recognition device. This processing, which could be performed on a general-purpose machine at a central location, may involve such tasks as retrieving profiles of user characteristics, comparing these against values obtained from the individual, coordinating multiple forms of access control, and performing the acceptance or rejection. These functions require computer programs, processing capacity, and storage in the central facility. These requirements could be significant where an attribute is represented by several hundred sampled values and a correlation must be performed between the file set and the “live” set. Routines for supporting the recognition devices would generally work in conjunction with other security programs in the central facility, such as those which establish access rights of users and device identity and which perform various monitoring functions.

5.10 Reliability and Maintainability

The reliability of a personal recognition device will have an important influence on the security of the system for which access control is being provided. Reliability may be defined as the probability that the device will perform its intended function over a specified interval of operation. A distinction should be made between the ability of the device to properly perform the required recognition function and its ability to perform dependably on a continuing basis. The ability to perform the recognition process correctly may be considered the device effectiveness, and is considered in determining the FAR and IPR. Reliability, as applied to equipment performance, refers to the ability to continue operating at the nominal level of effectiveness on a sustained basis without drifting out of tolerance or breaking down.

The personal identification equipment should be designed so that it is fail-safe, in that it should deny access if a failure occurs or if the power is cut off. It should be provided with detectors to warn against tampering. For maintenance purposes, there must be a method for disabling these protective circuits, but this method itself must be secure enough to prevent its being used in attempts at circumvention. The need for allowing multiple identification attempts was stated earlier; however, the number of retries should be limited to thwart an imposter who might try to gain access by trial and error.
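The retry limit, time penalty, alarm indication and fail-safe denial called for in Sections 5.5 and 5.10, brought together in one added Python example (not part of the Guideline). The account store, the penalty interval, the retry limit and the injected clock are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3        # consecutive failures permitted before the account is locked (constructed value)
PENALTY_SECONDS = 30.0  # "time penalty" after a failure; it grows with each further failure


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the memorized secret, never the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0            # consecutive unsuccessful attempts
    held_off_until: float = 0.0  # device is held off until this time (seconds)
    locked: bool = False         # retries exhausted; requires administrative reset


@dataclass
class RecognitionDevice:
    accounts: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)  # alarm indications raised on erroneous attempts

    def enroll(self, user: str, secret: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_secret(secret, salt))

    def reset(self, user: str) -> None:
        """Administrative clearing of a lockout after the alarm has been investigated."""
        acct = self.accounts[user]
        acct.failures, acct.held_off_until, acct.locked = 0, 0.0, False

    def attempt(self, user: str, secret: str, now: float) -> str:
        """One identification attempt at time `now`; returns ACCEPTED, REJECTED, HELD_OFF or LOCKED."""
        try:
            acct = self.accounts.get(user)
            if acct is None:
                return "REJECTED"   # unknown user: nothing to compare against
            if acct.locked:
                return "LOCKED"
            if now < acct.held_off_until:
                return "HELD_OFF"   # time penalty in force: the attempt is not even evaluated
            if hmac.compare_digest(acct.digest, hash_secret(secret, acct.salt)):
                acct.failures = 0
                return "ACCEPTED"
            acct.failures += 1
            acct.held_off_until = now + PENALTY_SECONDS * acct.failures   # escalating hold-off
            self.alarms.append(f"user={user} failures={acct.failures} t={now:.0f}")
            if acct.failures >= MAX_ATTEMPTS:
                acct.locked = True  # retries are limited; further trials are refused outright
            return "REJECTED"
        except Exception:
            return "REJECTED"       # fail-safe: an internal fault denies access rather than granting it
```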

5.11 Cost of Protecting the Device

With certain classes of devices, a knowledge of their internal working increases their vulnerability to being defeated. If such a device is easily stolen and carried off to be examined at leisure, the entire class of such devices could be compromised. Therefore, physical protection must be given these devices, and the cost of providing that protection must be weighed.

5.12 Cost of Distribution and Logistical Support

Studies indicate that costs for distribution and logistical support can exceed 20 percent of the total value of the contracted price of devices. A cost factor of this magnitude should be evaluated when devices are compared.

6. System Considerations

Each of the categories of authentication methods discussed has some degree of vulnerability. A password or the combination to a lock may be learned by another person. This could happen if a copy were left in some exposed location, or the user might secretly be observed while using it. In the case of a remote system, a password or any set of transmitted data might be obtained via a wiretap and then be used to gain unauthorized access. Artifacts, such as badges, cards and keys, can be stolen and used by an unauthorized person. If the loss is discovered, it may be possible to take steps to minimize the potential damage; however, a clever penetrator might appropriate the artifact only long enough to carry out a specific action and then return it without anyone’s having been aware of its misuse. To protect against this threat, an auditing routine should be incorporated into the system which maintains records as to what is accessed, under what authentication, and for what purpose. Users of interactive, multiple-user systems should be provided with a detailed line-item register of every access, for whatever purpose, to support user billings. Such session registers should include user I.D., system function being performed, clock time or System Resource Unit (SRU),² line-item cost and output terminal receiving the data. The user should analyze the session registers against his access logs very carefully. This should enable the detection of unauthorized accesses, using properly designed and monitored controls.

² A System Resource Unit (SRU) is an entity used for accounting purposes, such as CPU seconds, disk tracks, and so forth.

Each of the categories of authentication methods discussed has some degree of vulnerability. Recognition systems based upon physiological attributes may be susceptible in varying degrees to circumvention. A voice recognition system depending upon a spoken password might be deceived by a recording of the authorized person. A picture pass might be altered or counterfeited to carry the picture of a would-be penetrator in the place of an authorized individual, or a penetrator might disguise himself to resemble an authorized individual whose pass he had appropriated. It is possible to mold fingerprint impressions into thin rubber gloves which might be worn by a would-be penetrator for the purpose of foiling a fingerprint matching system.

Even if an identification method could carry out its function entirely accurately and were immune to deceit, it would still be necessary to assure that it could not be circumvented in some other way. For example, a recognition device might be used in conjunction with a remote terminal, requiring an enabling signal from the device to allow use of the terminal. A would-be penetrator might be able to falsify this signal, thus enabling the terminal without the need for recognition. Another form of circumvention might involve wiretapping, in which the circuit would be switched from the remote terminal to an intruder’s terminal after the establishment of recognition and login by a legitimate user. In order to avert suspicion, the intruder could send a fictitious message to the legitimate user stating that the computer was temporarily out of service. It is thus evident that recognition techniques must be incorporated within complete systems where a hierarchy of provisions is made to assure overall system integrity. This could include the use of encryption for data and control signals.


6.1. Unauthorized Users Versus Unauthorized Usage

Within the context of system security, personal identification is employed to provide assurance that only authorized users are granted access to the system. Even if the personal identification scheme were 100 percent effective, however, there would still be certain risks, and these require different kinds of safeguards. These risks are predominantly the following:

(1) Coercion of an authorized user to provide access for an unauthorized person. Coercion might take the form of a physical threat or some type of extortion.

(2) Collusion between an authorized user and an unauthorized person, possibly involving bribery.

(3) Performance of unauthorized actions by an authorized user, either deliberately, for possible personal gain, or through error or carelessness.

It should be evident that simply assuring the correct identity of authorized users is not sufficient to counter the above threats. Other provisions must be included within the overall security program to safeguard against these threats. Some of these provisions are administrative, including the screening of individuals in the hiring process and in the granting of authorization, with periodic follow-up security checks, and the bonding of individuals in sensitive positions [7].

A full discussion of system security measures is beyond the scope of this Guideline; for further information, the reader is referred to Computer Security Guidelines for Implementing the Privacy Act of 1974, FIPS PUB 41 [18]. Additional references on controlled accessibility may be found in the Controlled Accessibility Bibliography, NBS Technical Note 780 [8]. However, certain system considerations which are closely related to personal identification are described briefly below.

6.2. Duress or Hostage Alarm

Protection can be provided for the case of an authorized individual being forced to gain access on behalf of an intruder. This is done by incorporating a secret procedure which would be invoked by the hostage in the process of seeking access to the system. It might be necessary to grant access to the system, in order to avert suspicion on the part of the intruder, so as not to jeopardize the hostage, but other security measures could be invoked once the threat were made known. Many devices for personal identification include provisions for such a duress (or hostage) alarm.

6.3. Establishing and Checking Authorization

Control of access to system resources is governed by previously-established authorization. Authorization applies to the following factors:

(1) The set of individuals authorized to use the system,

(2) Data necessary to achieve personal identification,

(3) System resources (data files, programs, terminals, peripherals; also classes of activity: read-only, read/write, execute, search, transactions, program generation, privileged instructions),

(4) Data necessary for resource identification (such as identification code for a terminal),

(5) Authorization relationships between authorized individuals and system resources.

The process of establishing the above information is called authorization definition. Authorization checking is performed whenever access is attempted to the system or system resources.

6.4. Auditing of System Access

Provision should be made for the logging of accesses to a system in order to provide a record of who accessed the system, what was accessed, and what actions were performed. This information is useful in auditing system activities and in discovering and tracing possible intrusions. Logging is performed after an authorized access has been granted.
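Authorization definition, authorization checking and the session register of Sections 6.3 and 6.4 (with the register fields listed at the start of Section 6), as one added Python example that is not part of the Guideline. The user, terminal and resource names and the cost figures are constructed; item (2), the personal identification data, is assumed to have been verified by the recognition device before this check runs.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Activity(Flag):
    """Classes of activity named in Section 6.3, item (3)."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    SEARCH = auto()
    TRANSACTION = auto()
    PROGRAM_GENERATION = auto()
    PRIVILEGED = auto()


@dataclass
class AuthorizationDefinition:
    """Authorization definition: the information enumerated in Section 6.3."""
    users: set = field(default_factory=set)              # (1) authorized individuals
    resources: set = field(default_factory=set)          # (3) system resources
    terminals: set = field(default_factory=set)          # (4) resource identification codes
    grants: dict = field(default_factory=dict)           # (5) (user, resource) -> permitted activities
    user_terminals: dict = field(default_factory=dict)   # (5) user -> terminals the user may work from

    def grant(self, user: str, resource: str, activity: Activity, terminals: set) -> None:
        self.users.add(user)
        self.resources.add(resource)
        self.terminals.update(terminals)
        self.grants[(user, resource)] = self.grants.get((user, resource), Activity(0)) | activity
        self.user_terminals.setdefault(user, set()).update(terminals)


@dataclass
class SessionRegister:
    """Line-item register of granted accesses; denials are kept apart for intrusion tracing."""
    entries: list = field(default_factory=list)
    violations: list = field(default_factory=list)


def check_access(authz: AuthorizationDefinition, register: SessionRegister, user: str,
                 terminal: str, resource: str, activity: Activity, sru: float, unit_cost: float) -> bool:
    """Authorization checking at the moment of access; the register is written only once access is granted."""
    permitted = authz.grants.get((user, resource), Activity(0))
    if user not in authz.users:
        reason = "unknown user"
    elif terminal not in authz.user_terminals.get(user, set()):
        reason = "terminal not authorized for user"
    elif resource not in authz.resources:
        reason = "unknown resource"
    elif (permitted & activity) != activity:
        reason = f"{activity.name or activity} not permitted on {resource}"
    else:
        # Session register line item: user I.D., system function, SRU, line-item cost, output terminal
        register.entries.append({"user": user, "function": activity.name, "resource": resource,
                                 "sru": sru, "cost": round(sru * unit_cost, 2), "terminal": terminal})
        return True
    register.violations.append({"user": user, "terminal": terminal, "resource": resource, "reason": reason})
    return False
```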

6.5. Encryption

Terminal security can be violated, despite controlled access to the terminal, by the use of wiretapping techniques. This could be done by using another terminal that poses as the authorized terminal by imitating its responses to the system. For this reason some method of protecting a system from such imposters is needed. The most effective technique is encryption of communications to and from the terminal.

Encryption is achieved either through a secret process (that is, the manner in which data is transposed and/or substituted) or through a commonly known process which depends on a secret parameter (called a “key”) used by the process. In order to allow compatibility of encryption processes within the typical variety of network components, the latter method is preferred. The encryption process is generally specified in an algorithm (a set of rules or steps for performing a task). Decryption is the inverse process. Even with encryption, it might still be possible for an imposter to imitate encrypted responses of a fixed nature if they were always the same. However, it is a relatively simple matter in a system to use numbering schemes in the dialogue that would cause the responses to be encrypted in a manner that would be, in practice, impossible for an imposter to imitate.
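The numbering scheme described above, as an added Python example that is not part of the Guideline: a sequence number is bound into both the encryption and the integrity check of every dialogue message, so the same fixed response never encrypts the same way twice and a recorded message is refused when played back. HMAC-SHA256 from the standard library stands in for the keyed transformation so the example runs offline (it is not the DES algorithm the Guideline refers to); the keys and the response text are constructed.

```python
import hashlib
import hmac

SEQ_BYTES = 8  # the "numbering scheme": a sequence number carried with every message


def keystream(enc_key: bytes, seq: int, nbytes: int) -> bytes:
    """Keyed keystream derived from (sequence number, block index), so it differs for every message."""
    out = b""
    block = 0
    while len(out) < nbytes:
        counter = seq.to_bytes(SEQ_BYTES, "big") + block.to_bytes(4, "big")
        out += hmac.new(enc_key, counter, hashlib.sha256).digest()
        block += 1
    return out[:nbytes]


def seal(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> tuple:
    """Encrypt one dialogue message under its sequence number and authenticate (seq, ciphertext)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, seq, len(plaintext))))
    tag = hmac.new(mac_key, seq.to_bytes(SEQ_BYTES, "big") + ct, hashlib.sha256).digest()
    return seq, ct, tag


class Receiver:
    """Accepts each sequence number once, in order, so a recorded message cannot be replayed."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.expected_seq = 0

    def open(self, seq: int, ct: bytes, tag: bytes):
        if seq != self.expected_seq:
            return None                       # replayed or out-of-sequence message: rejected
        expected = hmac.new(self.mac_key, seq.to_bytes(SEQ_BYTES, "big") + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # altered ciphertext or wrong key: rejected
        self.expected_seq += 1
        return bytes(c ^ k for c, k in zip(ct, keystream(self.enc_key, seq, len(ct))))


def demonstrate() -> dict:
    """Send one fixed-nature response twice, then attempt to replay the first copy."""
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"   # constructed demo keys
    response = b"TERMINAL ENABLED"                                       # a response of fixed nature
    rx = Receiver(enc_key, mac_key)
    m0 = seal(enc_key, mac_key, 0, response)
    m1 = seal(enc_key, mac_key, 1, response)
    return {
        "ciphertexts_differ": m0[1] != m1[1],
        "first_ok": rx.open(*m0) == response,
        "second_ok": rx.open(*m1) == response,
        "replay_rejected": rx.open(*m0) is None,
    }
```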


The  National  Bureau  of  Standards  has  pub¬ 
lished  an  encryption  algorithm  which  satisfies 
the  primary  technical  requirements  of  a  data 
encryption  standard.  This  standard  will  be 
promulgated  as  Federal  Information  Processing 
Standard  (FIPS)  46,  Data  Encryption  Stand¬ 
ard,  dated  1977  January  15.  The  algorithm  may 
be  implemented  in  presently  available  elec¬ 
tronic  technology,  using  hardware  developed 
for  this  purpose. 

Control  devices  must  be  constructed  to  for¬ 
mat  the  data  for  the  encryption  device  and  to 
transmit  and  receive  the  encrypted  data.  The 
design  of  these  devices  will  depend  on  the  ter¬ 
minal  and  the  communication  network  to  which 
it  is  attached. 

Data  encryption  keys  must  be  created  and 
distributed  to  authorized  personnel.  They  must 
be  protected  at  all  times  and  changed  fre¬ 
quently.  Periodic  changes  are  suggested  and 
immediate  changes  are  necessary  if  a  com¬ 
promise  is  suspected  to  have  occurred. 